Azure Key Vault Signer

Key Management backed by Azure Key Vault
Use on Kaleido
Coming Soon

Azure Key Vault provides hardware security modules (HSMs) that are maintained in the Azure cloud. This gives clients total control of their cryptographic material in hardware and firmware, without exposing it to any operator, including Microsoft. HSM-based key management provides the highest level of key protection.

The Kaleido CloudHSM service supports using keys maintained in Azure Key Vault to sign transactions. The Kaleido service communicates with Azure Key Vault over HTTPS (HTTP over TLS) to discover the list of signing accounts and to send it payloads to sign. Throughout the process the signing keys stay inside the customer's Azure Key Vault instance and are never shared with Kaleido.



Features

Create and Configure a Kaleido CloudHSM Signer Service

The Azure KeyVault Signer interacts with Key Vault in Azure to sign transactions and send them to an Ethereum node in the Kaleido environment.


Sign Transactions Using Azure Key Vault

Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions.

Total Control

Kaleido CloudHSM service supports using keys maintained by Azure Key Vault to sign transactions.

How it works

Create Kaleido CloudHSM Service

Creating a Kaleido CloudHSM service is a two-step process:

  • Specify the type and access details of the Azure Key Vault as a configuration under the environment (this configuration can be referenced by one or more cloud HSM service instances created in the same membership)
  • Create the CloudHSM service using the configuration created above

Create CloudHSM configuration for Azure Key Vault

The configuration for Azure Key Vault has the following mandatory parameters:

The following is a sample POST request to create an Azure Key Vault CloudHSM configuration:

https://console.kaleido.io/api/v1/consortia/:consortia_id/environments/:environment_id/configurations


Create Cloud HSM service

Using the configuration created above, a cloud HSM service can be created with the following request fields:

Field            Usage
name             User-defined name for the service
membership_id    ID of the membership under which this service is available
service          Type of service. Must be cloudhsm
details          --
  cloudhsm_id    ID of the configuration created in the previous step

The following is a sample POST request to create a Cloud HSM service that uses an Azure Key Vault backend provider:

https://console.kaleido.io/api/v1/consortia/:consortia_id/environments/:environment_id/services

{
 "name": "cloudhsm-azure",
 "membership_id": "<id>",
 "service": "cloudhsm",
 "details": {
   "cloudhsm_id": "<cloudhsm_configuration_id>"
 }
}

Transaction Signing with Azure Key Vault

Transactions can be sent to the Kaleido CloudHSM service by specifying a from address that corresponds to a SECP256K1 key present in the Azure Key Vault. Any of the RPC, WSS or API Gateway interfaces can be used to send transactions. The URLs for these interfaces can be obtained by querying the service's /status route.

A sample GET request to obtain the service status is as below:

https://console.kaleido.io/api/v1/consortia/:consortia_id/environments/:environment_id/services/:service_id/status

When an eth_sendTransaction request is received by the Kaleido CloudHSM service, it uses the from address to determine whether the configured backend cloud HSM holds the key for that address. The service then sends a /sign request to Azure Key Vault with the key ID of the from address and the transaction payload. If the request succeeds, Key Vault returns the signature, from which the Ethereum signature parameters R, S and V are extracted; the S value is checked against Ethereum's malleability protection rule (Ethereum accepts only the low-S form) before the signature is included in the transaction, which is then sent to the Ethereum blockchain node in the Kaleido environment that the service is bound to.
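The post-processing step described above, written out as an added example in pure Python (this is not Kaleido's or Azure's code): split the raw signature into R and S, force S into the low-S form the malleability rule requires, and determine V by recovering the from account's public key. It assumes Key Vault returns the 64-byte r||s concatenation for a SECP256K1 key; sign_raw, the private key and the transaction hash are constructed stand-ins for the Key Vault /sign call and its inputs.

```python
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def normalize(raw_sig):
    """Split the 64-byte r||s Key Vault returns and enforce Ethereum's low-S rule."""
    r, s = int.from_bytes(raw_sig[:32], "big"), int.from_bytes(raw_sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        raise ValueError("malformed signature")
    return r, (N - s if s > N // 2 else s)
def recover(msg_hash, r, s, rec_id):
    """Public key recovery: R has x = r and y parity = rec_id; Q = r^-1 (s*R - e*G)."""
    y = pow((r**3 + 7) % P, (P + 1) // 4, P)
    R = (r, y if y % 2 == rec_id else P - y)
    e = int.from_bytes(msg_hash, "big")
    return ec_mul(pow(r, -1, N), ec_add(ec_mul(s, R), ec_mul(-e % N, G)))
def to_ethereum_sig(msg_hash, raw_sig, from_pub, chain_id=None):
    """Return (r, s, v) with low-S s and the v that recovers the from account's key."""
    r, s = normalize(raw_sig)
    for rec_id in (0, 1):
        if recover(msg_hash, r, s, rec_id) == from_pub:
            return r, s, rec_id + (27 if chain_id is None else 35 + 2 * chain_id)
    raise ValueError("signature does not belong to the from address")
def sign_raw(priv, msg_hash, k):
    """Constructed stand-in for Key Vault's /sign: plain ECDSA r||s, not low-S normalized."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (int.from_bytes(msg_hash, "big") + r * priv) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

# constructed test values, not real keys: private scalar, nonce, public point, tx hash
PRIV = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
K = 0xFEDCBA0987654321FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321
PUB, TX_HASH = ec_mul(PRIV, G), bytes(range(32))
```

Whichever recovery id Key Vault's raw signature implied, flipping S to N - S flips that id, which is why V is re-derived after normalization rather than taken from the raw signature.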

